onContinuePostLogin: The session token is invalid: Unexpected token payload type

Hi,

I’m working on a Post Login action that uses a redirect and then tries to access some data from an external website.

When calling validateToken I’m getting an error (“The session token is invalid: Unexpected token payload type”) and I don’t know exactly what the problem is.

The token I’m returning looks like this:

{
  "state": "hKF***",
  "favorite_color": "blue",
  "iat": 1660555965,
  "sub": "auth0|***",
  "iss": "***.azurewebsites.net",
  "exp": 1660556025
}

I’m signing the token with HS256 and a shared key known to both the action and the external service.

Hi @felix.seidl,

Welcome to the Auth0 Community!

How are you creating the token? Can you give us a code snippet of your action?

Also, have you tried checking your token with jwt.io to see if it is valid?

Let me know,
Dan

Hi @dan.woda,

Thanks for reaching out.

I’m using the ‘jose’ npm package to create the token on the external site:

import * as jose from 'jose';

// HS256 key bytes derived from the secret shared with the Action
const secret = new TextEncoder().encode(shared_secret);
const token = await new jose.SignJWT({ state: stateParameter, favorite_color: "blue" }) // some dummy value
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setSubject(userId)
    .setIssuer('***.azurewebsites.net')
    .setExpirationTime('1m')
    .sign(secret);

The redirect back to Auth0:

window.location.replace(`https://***.eu.auth0.com/continue?state=${stateParameter}&token=${token}`);

onContinuePostLogin:

const payload = api.redirect.validateToken({
  secret: event.secrets.sharedsecret,
  tokenParameterName: "token",
});

I have checked the token on jwt.io but saw no problems.

Can you share (or DM) an example of the payload? This error suggests the payload is malformed.

I can reproduce this error with the payload from the example (favorite_color: "blue")

I also receive this same error, using the same code as above. I verified it on jwt.io as well. Any help here? The error message isn’t giving back any additional context.
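
A local check for the /continue URL discussed in this thread, as an added example that is not code from any poster or from Auth0: it decodes the token's header and payload, verifies the HS256 signature with the shared secret, and compares the state claim with the state query parameter. The function names, host, secret and sample values are constructed, and the checks are assumptions about what is worth comparing, not a statement of what validateToken requires.

```javascript
// Added example (not from the thread): local check of a /continue redirect URL.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const b64url = (value) => Buffer.from(JSON.stringify(value)).toString('base64url');
const hmac = (input, secret) => nodeCrypto.createHmac('sha256', secret).update(input).digest();

// Constructed helper so the sample token can be built offline (HS256, compact JWS).
function makeToken(header, payload, secret) {
  const input = `${b64url(header)}.${b64url(payload)}`;
  return `${input}.${hmac(input, secret).toString('base64url')}`;
}

// Hypothetical checker: decodes the token and lists what does not line up.
function inspectContinueUrl(continueUrl, secret, now = Math.floor(Date.now() / 1000)) {
  const params = new URL(continueUrl).searchParams;
  const parts = (params.get('token') || '').split('.');
  if (parts.length !== 3) return { problems: ['token is not a three-part compact JWS'] };
  let header, payload;
  try {
    [header, payload] = parts.slice(0, 2).map((p) => {
      const obj = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
      if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) throw new Error('not an object');
      return obj;
    });
  } catch (err) {
    return { problems: ['header or payload is not a JSON object'] };
  }
  const problems = [];
  if (header.alg !== 'HS256') problems.push(`unexpected alg: ${header.alg}`);
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const actual = Buffer.from(parts[2], 'base64url');
  if (actual.length !== expected.length || !nodeCrypto.timingSafeEqual(actual, expected)) {
    problems.push('signature does not verify with this secret');
  }
  if (payload.state !== params.get('state')) problems.push('state claim differs from state parameter');
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token is expired or has no exp');
  return { header, payload, problems };
}

// Constructed sample mirroring the thread's payload shape; every value is a placeholder.
const SAMPLE_SECRET = 'constructed-shared-secret';
const SAMPLE_PAYLOAD = { state: 'hKF-constructed', favorite_color: 'blue', iat: 1660555965,
  sub: 'auth0|constructed', iss: 'issuer.example', exp: 1660556025 };
const SAMPLE_URL = 'https://tenant.example/continue?state=hKF-constructed&token='
  + makeToken({ alg: 'HS256' }, SAMPLE_PAYLOAD, SAMPLE_SECRET);

console.log(inspectContinueUrl(SAMPLE_URL, SAMPLE_SECRET, 1660555970));
```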